<?php
/*-------------------------------------------------------+
| PHP-Fusion Content Management System
| Copyright (C) 2002 - 2008 Nick Jones
| http://www.php-fusion.co.uk/
+--------------------------------------------------------+
| Filename: jquery_shoutbox.php
| Author: bartek124
| E-Mail: bartek124@php-fusion.pl
| Web: http://bartek124.php-fusion.pl
+--------------------------------------------------------+
| This program is released as free software under the
| Affero GPL license. You can redistribute it and/or
| modify it under the terms of this license which you
| can read by viewing the included agpl.txt or online
| at www.gnu.org/licenses/agpl.html. Removal of this
| copyright header is strictly prohibited without
| written permission from the original author(s).
+--------------------------------------------------------*/
require_once "../../maincore.php";
require_once INFUSIONS."jquery_shoutbox_panel/jquery_shoutbox_functions.php";

if(isset($_POST['action']) && $_POST['action'] == "captcha") {
if (!iMEMBER && $settings['guestposts'] == "1") {
			include_once INCLUDES."securimage/securimage.php";
			$securimage = new Securimage();
			if (!isset($_POST['sb_captcha']) || $securimage->check($_POST['sb_captcha']) == false) { echo "err"; return false; } else {echo "ok"; return false;}
	} else {
		echo "ok"; return false;
	}
}

if(isset($_POST['action']) && $_POST['action'] == "add") {
	require_once INCLUDES."flood_include.php";
	if (!flood_control("shout_datestamp", DB_SHOUTBOX, "shout_ip='".USER_IP."'")) {
		$shout_message = str_replace("\n", " ", $_POST['message']);
		$shout_message = preg_replace("/^(.{255}).*$/", "$1", $shout_message);
		$shout_message = trim(stripinput(censorwords($shout_message)));
		$shout_name = trim(stripinput(censorwords($_POST['name'])));
	    if($locale['charset'] != "utf-8") {
			if(function_exists("iconv")) {
				$shout_message = iconv("UTF-8", $locale['charset'], $shout_message);
				$shout_name = iconv("UTF-8", $locale['charset'], $shout_name);
			} else {
				$shout_message = utf2iso($shout_message);
				$shout_name = utf2iso($shout_name);
			}
		}
		$result = dbquery("INSERT INTO ".DB_SHOUTBOX." (shout_name, shout_message, shout_datestamp, shout_ip) VALUES ('".$shout_name."', '".$shout_message."', '".time()."', '".USER_IP."')");
	}
} else if((isset($_POST['action']) && $_POST['action'] == "delete") && (isset($_POST['shoutid']) && isnum($_POST['shoutid']))) {
	if ((iADMIN && checkrights("S")) || (iMEMBER && dbcount("(shout_id)", DB_SHOUTBOX, "shout_id='".$_POST['shoutid']."' AND shout_name='".$userdata['user_id']."'"))) {
		$result = dbquery("DELETE FROM ".DB_SHOUTBOX." WHERE shout_id='".$_POST['shoutid']."'");
	}
} else if (iMEMBER && (isset($_POST['action']) && $_POST['action'] == "ledit") && (isset($_POST['shoutid']) && isnum($_POST['shoutid']))) {
	$esresult = dbquery("SELECT ts.shout_name, ts.shout_message, tu.user_id, tu.user_name FROM ".DB_SHOUTBOX." ts
			LEFT JOIN ".DB_USERS." tu ON ts.shout_name=tu.user_id
			WHERE ts.shout_id='".$_POST['shoutid']."'");
	if (dbrows($esresult)) {
		$esdata = dbarray($esresult);
		header("Content-Type: text/html; charset=".$locale['charset']."\n");
		if ((iADMIN && checkrights("S")) || (iMEMBER && $esdata['shout_name'] == $userdata['user_id'] && isset($esdata['user_name']))) {
			echo $esdata['shout_message'];
		}
	}
} elseif (iMEMBER && (isset($_POST['action']) && $_POST['action'] == "sedit") && (isset($_POST['shoutid']) && isnum($_POST['shoutid']))) {
	if ((iADMIN && checkrights("S")) || (iMEMBER && dbcount("(shout_id)", DB_SHOUTBOX, "shout_id='".$_POST['shoutid']."' AND shout_name='".$userdata['user_id']."'"))) {
		$shout_message = str_replace("\n", " ", $_POST['message']);
		$shout_message = preg_replace("/^(.{255}).*$/", "$1", $shout_message);
		$shout_message = trim(stripinput(censorwords($shout_message)));
		if($locale['charset'] != "utf-8") {
			if(function_exists("iconv")) {
				$shout_message = iconv("UTF-8", $locale['charset'], $shout_message);
			} else {
				$shout_message = utf2iso($shout_message);
			}
		}
		if ($shout_message) {
			$result = dbquery("UPDATE ".DB_SHOUTBOX." SET shout_message='".$shout_message."' WHERE shout_id='".$_POST['shoutid']."'".(iADMIN ? "" : " AND shout_name='".$userdata['user_id']."'"));
		}
	}
}

if(isset($_POST['get_shouts'])) {
	header("Content-type: text/xml");
	header("Cache-Control: no-cache;");

	$result = dbquery("SELECT ts.*, tu.user_id, tu.user_name FROM ".DB_SHOUTBOX." ts
		LEFT JOIN ".DB_USERS." tu ON ts.shout_name=tu.user_id
		ORDER BY ts.shout_datestamp DESC LIMIT 0,".$settings['numofshouts']);

	$o = "<?xml version=\"1.0\" encoding=\"".$locale['charset']."\"?>\r\n";
	$o .= "<shoutbox>\n";
	while($data = dbarray($result)) {
		$access = (((iADMIN && checkrights("S")) || (iMEMBER && $data['shout_name'] == $userdata['user_id'] && isset($data['user_name']))) ? 1 : 0);
		$o .= "\t<shout>\n";
		$o .= "\t\t<shoutid>".$data['shout_id']."</shoutid>\n";
		$o .= "\t\t<authoruname>".$data['user_name']."</authoruname>\n";
		$o .= "\t\t<authorname>".stripinput($data['shout_name'])."</authorname>\n";
		$o .= "\t\t<datestamp>".showdate("shortdate", $data['shout_datestamp'])."</datestamp>\n";
		$o .= "\t\t<message><![CDATA[".sbwrap(parseubb(ajax_parsesmileys($data['shout_message'])))."]]></message>\n";
		$o .= "\t\t<access>".$access."</access>\n";
		$o .= "\t</shout>\n";
	}
	$o .= "</shoutbox>";
	print($o);
}
?>